Newsflash: Companies Forewarned - Cybersecurity Disclosure High on SEC Radar

February 26, 2018

The U.S. Securities and Exchange Commission issued an interpretative release on cybersecurity disclosure on February 21, 2018. While the release largely reiterates earlier guidance[1], its endorsement by a unanimous Commission[2] serves to highlight the SEC’s focus on this topic in light of the “evolving landscape of cybersecurity threats” faced by public companies.

The latest guidance reaffirms and puts the full weight of the SEC behind the earlier guidance, which was explicitly “neither approved nor disapproved” by the Commission. SEC Chairman Jay Clayton further hammered home the agency’s renewed emphasis on cybersecurity in a public statement issued on the same day as the new guidance in which he noted that he had “asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews.”

In addition to echoing the 2011 guidance, the latest release also expanded that guidance in several respects:

  • Cybersecurity policies and procedures. The release “stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents” as part of public companies’ obligations to maintain adequate disclosure control and procedures. Companies should specifically create cybersecurity policies and procedures, periodically test for compliance and ensure that they are in a position to timely disclose the potential impact of any cyber incidents. Company audit and disclosure committees should consider these matters and reflect such consideration in appropriate minutes.
  • Application of insider trading prohibitions in the cybersecurity context. The release offers a reminder to companies of their obligation under Regulation FD “to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents” and of the general insider trading prohibitions under federal securities laws. Companies and their insiders should not trade in company securities prior to the pending public disclosure of a significant cyber incident.
  • Disclosure guidance. Despite these warnings and reminders, the release stresses that the SEC does not intend for companies to make specific, technical disclosures about their cybersecurity systems that might expose potential vulnerabilities or provide a “roadmap” to hackers seeking to penetrate companies’ security safeguards. On the other hand, while the Commission recognized that it may take time to discern the impact of a cyber incident, it emphasized that an ongoing investigation was not necessarily grounds to avoid or delay disclosure of a material incident.

Footnotes

[1] On October 13, 2011, the SEC’s Division of Corporation Finance issued disclosure guidance focusing on cybersecurity. While noting that “no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents,” the October release observed that companies’ increasing dependence on digital technologies has resulted in increasing exposure to risk of cyber incidents and, accordingly, identified a number of disclosure requirements with respect to which a cybersecurity disclosure might be appropriate—for example, in the Risk Factors and Management’s Discussion and Analysis sections of a company’s Annual Report on Form 10-K or in the board risk oversight disclosures in a company’s Annual Proxy Statement on Schedule 14A.
[2] Despite the formal unanimity, support for the guidance among the Commission was not without some reservations. Commissioner Robert J. Jackson, Jr. issued a statement indicating that his support for the guidance was “reluctant,” and Commissioner Kara Stein issued a separate statement in which she noted that she was “disappointed with the Commission’s limited action.”